VIRUS-L Digest Wednesday, 10 Apr 1991 Volume 4 : Issue 57 Today's Topics: re: PKLITE and hidden virus (PC) Re: Review of Norton Antivirus (PC) re: VPCScan Demo Version (PC) Possible HyperCard virus (mac) Script to kill new HC (and all other HC) viruses/trojans, etc. (Mac) Protection of Sun PC-NFS server (UNIX) (PC) Re: Unix viruses and damaging programs (UNIX) Is virus infection by inserting floppy disk possible? (PC) (Mac) Modems How big is the virus problem ?? MS-DOS Protection (PC) Need help with Beijing Virus (PC) McAfee files v76 (PC) Questions concerning IBM anti-viral programs Virus Program Information request Stoned virus (PC) Do I have a virus? (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Mon, 08 Apr 91 13:02:51 >From: microsoft!c-rossgr@uunet.uu.net Subject: re: PKLITE and hidden virus (PC) >Date: Fri, 15 Mar 91 16:12:59 -0500 >From: Jim Pinson > >I know some of the virus scanners will look within executable files >that have been compressed with LZEXE. I believe they scan both before >and after expansion. > >Lately I have been using PKLITE to compress executables, and wonder if >any Virus scanners are capable of looking within the compressed files. > >Does anyone have any info on the subject? Jim, by the time you read this the next demo version of the Virex-PC scanner should be available. Virex-PC now handles PKLITE compressed files as well as LZEXE compressed files. Next step: LH compressed and .ZIP files. I should have responded to this earlier, but I've been in "one-last-bug" mode for the last month. The demo gets released today - -- just writing the final cut of the docs for it. The old one handled 150 strings, this one handles 350. The old one was faster, so's this one. Grab a copy, and lemme know what you think? Oh! I convinced The Powers That Be at Microcom to let me release monthly (or near monthly) updates of the free scanner. Stay tuned! Ross M. Greenberg Author, Virex-PC & FLU_SHOT+ ------------------------------ Date: Mon, 08 Apr 91 13:55:49 >From: microsoft!c-rossgr@uunet.uu.net Subject: Re: Review of Norton Antivirus (PC) >Date: Thu, 28 Mar 91 16:13:24 +0000 >From: tzdroj@hpuxa.acs.ohio-state.edu (Tomasz R. Zdrojewski) > >The NAV program is not suitable for normal virus removal. It a >personal test, I was able to infect my command.com, NAV itself and >quite a few other files. The program ignored the sample virus I ran >and said the system was fine. I would only recommend it for its >ability to add new virus tags. Not to take away from Norton's new entry in the anti-virus field, lots of scanners have the ability to add new virus tags through an external file, including my own. In fact, to document this file for the first time publicly: 1) The file must be on the C: drive in a directory called "C:\VIREXPC" 2) The file must be called "VIREXPC.VIR" 3) The file consists of lines. Each line starts with a 'P', a 'B' or a '#'. A line starting with a '#' is a comment line. A line starting with a 'P' is a "Program Virus" A line starting with a 'B' is a "Boot Virus" 4) Following the 'B' or 'P' is a single space. 5) Following the single space is the hex representation of upto sixteen bytes of signature information. Although you may have less then sixteen bytes, you must have at least ten bytes. Additionally, you must have an even number of bytes. This is the ASCII representation of the value of these signature bytes: If searching for 'AB', then the resulting hex search string would be "4141". 6) Optionally, after the signature bytes maybe come a checksum and a "nasty" flag. If you're including either, follow the signature bytes by a single space. If the virus is a "nasty" virus -- one that you'd want to halt the scanner if you find it in memory, use the "Nasty Virus" flag: a single exclamation point. The checksum is a simple unsigned checksum of the signature byte's real value: not the value of the ASCII representation of these values, but the actual values. An example: # This here is a comment P ProgVName 123434565678789090121234 1234! No, the checksums don't add up on that example. Ross M. Greenberg Author, Virex-PC & FLU_SHOT+ ------------------------------ Date: Mon, 08 Apr 91 13:38:40 >From: microsoft!c-rossgr@uunet.uu.net Subject: re: VPCScan Demo Version (PC) >Date: Wed, 27 Mar 91 11:49:57 -0700 >From: Chris McDonald Sorry for the delay, Chris: why is the last 1% of any new release always the hardest part to get out the door? >As a registered user of Ross Greenberg's program Flu-Shot+, I received >a demonstration version of VPCScan of the commercial program Virex-PC >bundled within version 1.8 of Flu-Shot+. I used the demonstration for >several days, and then purchased the full commercial product. Ah hah! The clever marketing ploy worked! You used the demo, then bought the product. I'll tell the marketing guy at Microcom - he'll be pleased. Don't worry: I get serious in just a sec.... >Since I routinely evaluate security-related software products for my >agency, I had occasion to run the demonstration version on Tuesday, 26 >March since I wanted to compare its feature against the actual >commercial product. I received the following message prior to the >execution of the demo: "This demonstration expires in 6 days." This >morning I ran the demo again, and the counter was down to "5 days". I >am waiting with anticipation to see what happens on April 1st. > >I must note that the read.me file contained within Flu-Shot+ which >described the demo at no time indicated a shelf life. In fact, the >file states: "This demo may be distributed freely, but may not be sold >without the express written permission of Microcom, Inc. and Ross M. >Greenberg." I have no objection to someone offering a demo, or in >encouraging that someone "freely" distribute it under the vendor's >instructions. > >I would think that it sure would have been nice to have included some >type of statement in the read.me file alerting REGISTERED, fee paying >customers of Flu-Shot+ of the demo's expiration date--particularly >when it appears April 1st is the drop-dead date. You're 100% absolutely right, Chris. Not sticking in some information regarding the drop-dead date was a dumb mistake on my part -- I wish I could blame it on somebody else. The new scanner (discussed below) has a drop-dead date of September 1, 1991. Between now and then, I expect to release a number of new demos, each updated with new features and new strings. Until the July release, or thereabout, all of them will have the 9/1/91 drop-dead date. Starting with the July release the drop-dead date will be somewhat further removed into the future: I'm not sure what I'll set it for, but I'll certainly let it be known in advance: a bonehead mistake like letting the expiration date on the current scanner lapse before releasing the new one should never have happened. Did I mention how much I hate Windows at all recently? :-) Picking a date back in October of 1990 (allowing for what was supposed to be six months of operation sounded so good on paper, too: I never thought about an expiry of April 1 having any significance. Yeah, that was dumb, too.) >Since I know Ross has access to this forum, I would simply like to ask >if this was a designed feature on his and Microcom's part, or whether >I perhaps have a "hacked" version of Flu-Shot+. Nope. No hacked version of the code. Just stupidity on my part. However, now that I'm done with the Windows version of the code, I've gotten some commonsense back. I'm better now! :-) Ross M. Greenberg Author, Virex-PC & FLU_SHOT+ Disclaimer: These are my opinions only. Chances are good that Microsoft thinks that Windows programming is good clean fun, building character or something..... ------------------------------ Date: 08 Apr 91 21:22:14 +0000 >From: jwagner@umaxc.weeg.uiowa.edu (Joseph Wagner) Subject: Possible HyperCard virus (mac) I'm hoping someone out there can help me. I have a user (I'm a consultant) who thinks he may have a virus. When he is using HyperCard 1.2.5 with a stack that is 300-400 K in size (it is just one specific stack) he is getting a lot of bombs. When he tries to script a new card for the stack he gets a bomb at various times as follows: As soon as he starts scripting When he tries to end the scripting His machine also freezes at times when he does the above. Sometimes the bomb is an out of memory error. All this work has been done on an SE/30 with 5mb of RAM and also on a IIci with 4mb RAM with the same results. Both machines are running system version 6.0.5. Any ideas would be greatly appreciated. Since this is within HC, I doubt if Disinfectant 2.4 will pick it up. He is currently trying Disinfectant. Thanks in advance. ___________________________________________________________________________ | Joseph Wagner | Life is divided into the horrible | | jwagner@umaxc.weeg.uiowa.edu | and the miserable - Woody Allen | ___________________________________________________________________________ ------------------------------ Date: Mon, 08 Apr 91 23:18:53 +0000 >From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner) Subject: Script to kill new HC (and all other HC) viruses/trojans, etc. (Mac) Alright already! Enough with the EMAIL! Stop! First, I disagree that Dukakis was a virus since it lacked the capacity to replicate and spread - it would simply make one move and stop. I think it would be better to call it a trojan since it was disguised as somthing else (i.e. nude pictures). HOWEVER I DON'T CARE HOW WE CLASSIFY IT!!! I'VE GOTTEN LOTS OF MAIL ABOUT THIS NEW CRITTER, SO HERE IS A GENERAL PURPOSE SCRIPT THAT WILL STOP ALL KNOWN HC VIRUSES AND TROJANS. Install this script in your HOME stack (in the stack info) - if you run 2.0, and are redirecting the inheritence path to include a library, put it there. The only stipulation is that this be the only script that intercepts the SET command. If others intercept the command, then parts of this must be imbedded (if you can't figure it out, EMAIL me). on set -- primitive anti-HC trojan/virus protection if the params contains "script " then -- notice the space after script -- THE SPACE IS ESSENTIAL SINCE ANY BUTTONS THAT HAVE THE WORD "SCRIPT" -- IN THEM WILL SEND THIS MESSAGE WHEN THEY ARE HILITED, ETC. play "boing" answer the params with "YES" or "NO" if it is "YES" then pass set end if -- the params contains "script " then end set this will intercept all "set the script of " type commands. hope it helps... Mikey. mac admin wsom csg cwru mike@pyrite.som.cwru.edu ------------------------------ Date: Tue, 09 Apr 91 01:23:20 +0000 >From: chris@ec.uwa.OZ.AU (Christoph Uloth - operator) Subject: Protection of Sun PC-NFS server (UNIX) (PC) Does anyone have any experience in the protection of networks of PC's running an ethernet and served via a SUN using PC-NFS. How does one make the Sun secure from viral infection where users require read/write access to the networked disk? What is the recommended software that we should use in this case? thanks, Chris. Christoph Uloth Division of Commerce Economics Law & Education Systems Networks Officer University of Western Australia Phone: +61-9-380 2198 || +61-9-364 7181 Fax: +61-9-380 XXXX email: chris@comec.uwa.oz.au :-) ------------------------------ Date: 08 Apr 91 20:22:43 +0000 >From: lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil) Subject: Re: Unix viruses and damaging programs (UNIX) VALDIS@VTVM1.CC.VT.EDU (Valdis Kletnieks) writes: to vancleef@iastate.edu (Van Cleef Henry H) >"Testing can show the presence of bugs, but not their absence." > >So if you DONT find anything, that does NOT prove your system is >clean, it only means that it's *either* clean *or* the intruder is a >step ahead of you. > >computer criminal. The best is so good that we'll never catch him. >If your system check (whatever its form) actually *finds* anything, >then it won't be an undetected breach anymore. A very scary thought when you consider that the bad guy in "The Cookoo's egg" was caught because of a billing error and the tenacity of one individual. The insights that book offers into the foilables of the typical system manager and the attitudes towards this type of thing are interesting. Would it be better to take for granted that your security has been breached and operate based on that? If you did make that assumption, what would you do to make a first level check? Trust.... - -- * suned1!lev@elroy.JPL.Nasa.Gov sun!suntzu!suned1!lev . lev@suned1.nswses.navy.mil + . + * S.T.A.R.S.! The revolution has begun! * - ----------------- My employer has no opinions. These are mine! --------------- - - ------------------------------ Date: Tue, 09 Apr 91 10:33:56 -0400 >From: Thomas DiBlasi Subject: Is virus infection by inserting floppy disk possible? (PC) (Mac) Hi, I've been monitoring Virus-l digest since December and now for the first time have a question. Is it possible for a virus, trojan, worm, etc. to infect a hard disk or RAM simply by inserting an infected floppy into a drive without execution?? I thought I saw something on how some PC's /MAC's can recognize the presence of a floppy after insertion without the benefit of an access command being entered. ------------------------------ Date: Tue, 09 Apr 91 11:31:57 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Modems >From: pcsbbs!fff@uunet.uu.net >If I connect to a site where I always initiate the call, only exchange >email and receive netnews, am I subject to receiving a virus. My >modem is never left on and the port is not enabled for a login. With a single restriction, you are not subject to a virus under these conditions. The sole caveat being that you are not connected to a system the performs on-line updates to the communications software in your PC. (the PC software would have to permit this, it cannot be done unilaterally) Since I know of several commercial packages that appear to have this capability and do not know which you are using, the restriction may or may not apply. ------------------------------ Date: 9 April, 1991 >From: Padgett Peterson Subject: How big is the virus problem ?? >From: UMCKA04@VAXA.CC.IMPERIAL.AC.UK I have seen figures that seem reasonable from personal experience that large sites (over 1000 PCs) rarely have a month go by without a confirmed virus report. (and I am SICK of the Jerusalem and Stoned). ------------------------------ Date: 9 April, 1991 >From: Padgett Peterson Subject: MS-DOS Protection (PC) >From: mrs@netcom.com (Morgan Schweers) > Under MS-DOS, it's not possible to close all the security holes >without throwing out the OS and starting anew. Partly true: once you are under MS-DOS, you can't close all the holes (especially the undocumented ones), but if you start before MS-DOS and encapsulate it, you can come close enough for government work. I keep mentioning this since a good system starting at the BIOS level is able to creating a reasonably secure system. Once that is available, we can quit worrying about the next "super stealth" killer virus that infects extended memory and get back to some real work. For all of its faults, there are a lot of good things to be said about MS-DOS since it has transformed the way we think about computers. The biggest is that it demonstates the law of quantum economics: The market forces change until something becomes "Good Enough", once this occurs, the market becomes resistant to change and rewards only improvement. A good example is the proliferation of pointing devices (mice, trackballs, pens, etc.) that just shows that "Good Enough" has not appeared yet. Similarly, the plethora of menuing schemes that existed before Windows 3.0 was another example that has now resolved. It will be interesting to see how MAC 7.0 is received. ------------------------------ Date: 9 April, 1991 >From: Padgett Peterson Subject: Need help with Beijing Virus (PC) >From: EMERSON@TURING.SDC.TASC.COM >...and is infecting any diskette I happen to boot with... The "Bloody" (apologies to UK readers) virus cannot remain resident through a cold (power off) boot from an uninfected floppy in a normal PC. period. If it is, then something strange is going on (like a BIOS that forces boots from C & I hope the readers understand the implications of this in view of some earlier discussions). This virus is similar to the STONED and functions in much the same way. The original partition table/code (MBR) is stored at cyl 0 head 0 sector 6 and a good technician or the current version of McAfee's SCAN/CLEAN will take care of the problem. When resident, it can be detected by the si...(oops, promised no more mention of my "primitive" technique) by CHKDSK which will report a loss of 2k from the TOM (640k machine will report 653312 "total bytes memory" instead of 655360. If in memory, it must be removed (through clean reboot) for any disinfection to be effective. Note: as in any infection of this type, it is essential that all infected diskettes (and there must be at least ONE or there is a bigger problem) be found and disinfected else you will get a lot of practise in removal. Warmly, Padgett ------------------------------ Date: Tue, 09 Apr 91 10:15:34 -0500 >From: James Ford Subject: McAfee files v76 (PC) The following McAfee files have been uploaded to mibsrv: scanv76.zip clean76.zip netscn76.zip vshld76.zip Users who can not FTP directly can send mail to JFORD@MIB333.MIB.ENG.UA.EDU for uuENcoded files. Mail to JFORD@UA1VM will *NOT* get the files. :-) - ---------- James Ford - JFORD@UA1VM.UA.EDU, JFORD@mib333.mib.eng.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ Date: Tue, 09 Apr 91 16:01:00 -0500 >From: "Sant." Subject: Questions concerning IBM anti-viral programs I'm wondering what is the most efficient virus detector/remover available. I currently execute SCAN.EXE version 75 automatically upon boot-up. I've seen commercial programs, such as, Virex and Norton AntiVirus. Are these so superior that I should pay $90? Is there a virus checker which would scan programs executed under Windows 3.0? +------------------------------------------------------------------------------ + | Santanu Sircar BITNET: ssircar@umaecs.bitnet | | University of Massachusetts/Amherst INTERNET: ssircar@ecs.umass.edu | +------------------------------------------------------------------------------ + ------------------------------ Date: Tue, 09 Apr 91 14:34:28 -0800 >From: axtlp@acad2.alaska.edu Subject: Virus Program Information request Hello. I need information regarding the different virus protection programs for both the Macintosh and the IBM pc. I'd appreaciate it if you would send me your opinions on which are the best programs and their plus's and minus's. [Ed. You may want to start by reading the various PC and Mac independent product reviews in the VIRUS-L/comp.virus archives. They're available by anonymous FTP from cert.sei.cmu.edu in the pub/virus-l/docs/reviews directory.] Thank you for your help Tam Pikey axtlp@alaska.bitnet axtlp@acad2.alaska.edu ------------------------------ Date: Tue, 09 Apr 91 08:28:00 -0800 >From: Michael_Kessler.Hum@sfsuvax1.sfsu.edu Subject: Stoned virus (PC) I was having problems with Vidram by QEMM on a Zenith 386 SX. It would not load properly for a couple of days, using the same unchanged batch files. I ran F-FCHK and F-Disinf on the machine, and the Stoned virus was removed. However, F-DRIVER (of F-PROT 1.14) is installed on the machine, and it did not detect it. The machine had been cleaned before installing F-DRIVER. 1.13 worked sucessfully at detecting the STONED virus. Is there a detection problem with F-DRIVER from F-PROT 1.14? ------------------------------ Date: Tue, 09 Apr 91 20:01:10 -0400 >From: Subject: Do I have a virus? (PC) My computer's been locking up on me for about a week now and it's driving me NUTS! Every once in a while, it will just lock up and say Divide overflow. I then have to reset (warm reboot doesn't work - I'm using an IBM compatible by the way). I have one program (TrakBlaster for my soundblaster) that will lock it up every time - but other programs that do the same thing don't. If I load up Turbo C, I can run it all day with no problem, but if I exit it and start running some other programs the thing freezes. It seems to be based on the number of different programs executed instead of on a time limit. Has anyone out there had this problem or is this more likely to be just a hardware problem? I've tried several shareware virus detectors but none of them have found anything - of course none of them could find the test virus signature in the program that came with tbscanx either. Does anybody want to buy a computer - cheap? ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 57] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253